
AddressSanitizer: heap-buffer-overflow in filter_and_add sd_ass.c:379

Open forthrin opened this issue 1 year ago • 3 comments

mpv Information

mpv version: git-2024-10-06-7ca5fd2-dirty
FFmpeg version: git-2024-10-05-099f88b

Other Information

N/A

Reproduction Steps

  • Happened once related to exiting.
  • Could not reproduce.
  • May be related to #13525.

https://github.com/mpv-player/mpv/blob/master/sub/sd_ass.c#L379

// Note: pkt is not necessarily a fully valid refcounted packet.
// static void filter_and_add(struct sd *sd, struct demux_packet *pkt)
pkt->animated = ctx->packets_animated[pkt->seen_pos]; // 379

Expected Behavior

No crash

Actual Behavior

Crash

Log File

crash.log

Sample Files

N/A

I carefully read all instructions and confirm that I did the following:

  • [X] I tested with the latest mpv version to validate that the issue is not already fixed.
  • [X] I provided all required information including system and mpv version.
  • [X] I produced the log file with the exact same set of files, parameters, and conditions used in "Reproduction Steps", with the addition of --log-file=output.txt.
  • [X] I produced the log file while the behaviors described in "Actual Behavior" were actively observed.
  • [X] I attached the full, untruncated log file.
  • [X] I attached the backtrace in the case of a crash.

forthrin avatar Oct 14 '24 06:10 forthrin

@Dudemanguy any idea on this one. pinging you since you were the last one looking at that part of the code, i believe.

Akemi avatar Oct 14 '24 11:10 Akemi

Not sure about this one. Seems like an obscure race of sorts? It looks like you manage to hit the redecode path while quitting which shouldn't matter but something is going wrong somewhere. The packet is detected as seen which means it should have been added to ctx->packets_animated already but it seems it wasn't and overflows. I tried some naive attempts at replicating redecoding while quitting and no dice.

Although we are probably redecoding packets more than necessary now that I look at this again.

Dudemanguy avatar Oct 14 '24 14:10 Dudemanguy
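The failure mode described in the comment above, modelled in C as an added example (not mpv's code): a packet carries a `seen_pos` that was supposed to index an entry recorded earlier, but no entry was ever recorded for it, so an unchecked `packets_animated[pkt->seen_pos]` reads past the allocation, which is exactly what AddressSanitizer flags as a heap-buffer-overflow. The struct and field names (`sub_ctx`, `packets_animated`, `num_animated`, `seen_pos`) are hypothetical stand-ins chosen to mirror the report, and the sample flags are constructed. The bounds-checked lookup fails closed instead of indexing out of range.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical per-track state, modelled on the ctx->packets_animated
 * array named in the report. Not mpv's own struct. */
struct sub_ctx {
    bool *packets_animated;   /* one flag per packet recorded so far */
    size_t num_animated;      /* entries actually written */
    size_t cap_animated;      /* allocated entries */
};

/* Hypothetical packet: seen_pos is the index a later redecode uses. */
struct packet {
    int seen_pos;             /* -1 means never seen */
    bool animated;
};

/* First-pass path: record the flag and hand the packet its index.
 * The array grows by exactly one so that, in the scenario below, an index
 * one past num_animated really lies outside the allocation. */
static bool record_animated(struct sub_ctx *ctx, struct packet *pkt, bool animated)
{
    if (ctx->num_animated == ctx->cap_animated) {
        size_t ncap = ctx->cap_animated + 1;
        bool *n = realloc(ctx->packets_animated, ncap * sizeof(*n));
        if (!n)
            return false;
        ctx->packets_animated = n;
        ctx->cap_animated = ncap;
    }
    pkt->seen_pos = (int)ctx->num_animated;
    ctx->packets_animated[ctx->num_animated++] = animated;
    return true;
}

/* Redecode path, bounds-checked: a seen_pos with no recorded entry is
 * reported as a failure rather than dereferenced. */
static bool lookup_animated(const struct sub_ctx *ctx, const struct packet *pkt, bool *out)
{
    if (pkt->seen_pos < 0 || (size_t)pkt->seen_pos >= ctx->num_animated)
        return false;
    *out = ctx->packets_animated[pkt->seen_pos];
    return true;
}

/* Drive the scenario: three packets recorded, then a packet whose seen_pos
 * claims an entry that was never recorded. Returns the number of lookups
 * the bounds check rejected (expected 1), or -1 on an unexpected result. */
static int run_scenario(void)
{
    struct sub_ctx ctx = {0};
    struct packet pkts[3] = {{-1, false}, {-1, false}, {-1, false}};
    bool flags[3] = {false, true, false};          /* constructed sample data */
    struct packet stray = { .seen_pos = 3, .animated = false };
    bool v = false;
    int rejected = 0;

    for (int i = 0; i < 3; i++) {
        if (!record_animated(&ctx, &pkts[i], flags[i]))
            goto fail;
    }

    /* Normal case: seen_pos 1 was recorded, so the lookup succeeds. */
    if (!lookup_animated(&ctx, &pkts[1], &v) || !v)
        goto fail;

    /* Stray packet: seen_pos is set but nothing was recorded at index 3.
     * Unchecked indexing here would read one element past the allocation. */
    if (!lookup_animated(&ctx, &stray, &v))
        rejected++;

    free(ctx.packets_animated);
    return rejected;

fail:
    free(ctx.packets_animated);
    return -1;
}
```

Running this under `-fsanitize=address` with the check removed from `lookup_animated` reproduces the same class of report (a read one element past a heap block); with the check in place it completes cleanly, which is the property a fix for the redecode path needs to guarantee regardless of how the inconsistent state was reached.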

Not a fix but with #15094, the code path you took to trigger this crash won't happen anymore for the vast majority of files.

Dudemanguy avatar Oct 16 '24 02:10 Dudemanguy

Assume resolved

forthrin avatar Oct 17 '25 13:10 forthrin